TPM Measurements
The COMex in the switch tray is equipped with a server-grade CPU, connected to a discrete TPM. During boot, the firmware performs a measured boot and extends each measurement to the appropriate PCRs, in accordance with TCG standards.
Currently, attestation supports measurements of the core UEFI, drivers, and security configurations through PCRs 0 and 7.
TPM remote attestation reports these measurements and the platform's state externally.
1. A verifier queries the attester about its state and measurements.
2. The TPM then sends a quote, signed by its Attestation Key.
3. This quote serves as a cryptographic attestation of the device's state, including the PCRs measured during boot.
4. An external verifier validates the quote and compares it against known good measurements.
The following table describes the measurements returned by the TPM attestation feature, and whether they have a measurement reference:
| CoMID Index | What is measured | Part of Reference? |
|-------------|------------------|--------------------|
| 1  | Measurement Block Format | Yes |
| 2  | PCR0: SRTM, BIOS, Host Platform Extensions, Embedded Option ROMs and PI Drivers | Yes |
| 4  | PCR1: Host Platform Configuration | No |
| 6  | PCR2: UEFI driver and application Code | No |
| 8  | PCR3: UEFI driver and application Configuration and Data | No |
| 10 | PCR4: Shim, Grub and kernel boot loaders | No |
| 12 | PCR5: Boot Manager Code Configuration and Data (for use by the Boot Manager Code) and GPT/Partition Table | No |
| 14 | PCR6: Host Platform Manufacturer Specific | No |
| 16 | PCR7: Secure Boot Policy, Secure boot Verification Authority | Yes |
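The following is an added worked example, not code from this page or from the switch vendor, that ties the attestation flow above to the table: it replays a measured-boot event log into PCR values with the TPM2 extend rule, computes the pcrDigest a quote carries, and has a verifier compare only the PCRs that have a reference (PCR0 and PCR7) while still checking that the reported PCR list is consistent with the quote. It assumes a SHA-256 PCR bank starting at 32 zero bytes, uses constructed stand-in digests rather than real firmware hashes, and omits verification of the Attestation Key signature on the quote, which a real verifier performs before any of these checks.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

# Assumptions (constructed example): a SHA-256 PCR bank whose PCRs 0-7 start as
# 32 zero bytes, and component digests that are stand-ins, not real firmware hashes.
INITIAL_PCR = bytes(32)
QUOTED_PCRS = tuple(range(8))   # the attester reports PCR0-PCR7 (CoMID 2-16 in the table)
REFERENCE_PCRS = (0, 7)         # only PCR0 and PCR7 have known-good reference values


def extend(pcr_value: bytes, measurement_digest: bytes) -> bytes:
    """TPM2 PCR extend: new = SHA-256(old || digest of the measured object)."""
    return hashlib.sha256(pcr_value + measurement_digest).digest()


def replay_event_log(events: Iterable[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Recompute final PCR values by extending each (pcr_index, digest) event in order."""
    pcrs = {i: INITIAL_PCR for i in QUOTED_PCRS}
    for pcr_index, digest in events:
        pcrs[pcr_index] = extend(pcrs[pcr_index], digest)
    return pcrs


def pcr_digest(pcrs: Dict[int, bytes], selection: Iterable[int]) -> bytes:
    """The quote's pcrDigest: SHA-256 over the selected PCR values in ascending index order."""
    h = hashlib.sha256()
    for idx in sorted(selection):
        h.update(pcrs[idx])
    return h.digest()


def verify_quote(quoted_pcrs: Dict[int, bytes], quoted_pcr_digest: bytes,
                 reference: Dict[int, bytes]) -> Tuple[bool, str]:
    """Verifier side, run after the AK signature on the quote has been checked (omitted here).

    1. The pcrDigest inside the signed quote must match the PCR values reported with it;
       otherwise the unsigned PCR list cannot be trusted.
    2. Every PCR that has a reference value must equal it. PCRs without a reference
       (PCR1-PCR6 in the table) are reported but not compared.
    """
    if pcr_digest(quoted_pcrs, QUOTED_PCRS) != quoted_pcr_digest:
        return False, "pcrDigest does not match reported PCR values"
    mismatches = [i for i in REFERENCE_PCRS if quoted_pcrs.get(i) != reference.get(i)]
    if mismatches:
        return False, f"PCR mismatch on {mismatches}"
    return True, "ok"


def d(label: str) -> bytes:
    """Constructed stand-in for the digest of a boot component."""
    return hashlib.sha256(label.encode()).digest()


# Constructed golden event log modelled on the table: one event per measured object.
GOLDEN_EVENTS: List[Tuple[int, bytes]] = [
    (0, d("SRTM")), (0, d("BIOS image")), (0, d("embedded option ROM")),
    (1, d("host platform configuration")),
    (2, d("UEFI driver code")),
    (4, d("shim")), (4, d("grub")), (4, d("kernel")),
    (7, d("secure boot policy: enabled")), (7, d("secure boot verification authority")),
]


def reference_measurements() -> Dict[int, bytes]:
    """Known-good values for the PCRs marked 'Part of Reference', derived from the golden log."""
    golden = replay_event_log(GOLDEN_EVENTS)
    return {i: golden[i] for i in REFERENCE_PCRS}


def make_quote(events: Iterable[Tuple[int, bytes]]) -> Tuple[Dict[int, bytes], bytes]:
    """Attester side: final PCRs plus the pcrDigest the TPM would place in the quote."""
    pcrs = replay_event_log(events)
    return pcrs, pcr_digest(pcrs, QUOTED_PCRS)


def check_device(events: Iterable[Tuple[int, bytes]]) -> Tuple[bool, str]:
    pcrs, digest = make_quote(events)
    return verify_quote(pcrs, digest, reference_measurements())


def with_event_replaced(events, old, new):
    return [new if e == old else e for e in events]


# Scenario: a different option ROM shows up only in PCR0 (secure boot policy unchanged).
ALTERED_OPTION_ROM = with_event_replaced(
    GOLDEN_EVENTS, (0, d("embedded option ROM")), (0, d("different option ROM")))
# Scenario: secure boot disabled changes PCR7.
SECURE_BOOT_OFF = with_event_replaced(
    GOLDEN_EVENTS, (7, d("secure boot policy: enabled")), (7, d("secure boot policy: disabled")))
# Scenario: a host configuration change lands in PCR1, which has no reference, so it passes.
CONFIG_CHANGE = with_event_replaced(
    GOLDEN_EVENTS, (1, d("host platform configuration")), (1, d("host platform configuration v2")))

if __name__ == "__main__":
    for name, events in [("golden", GOLDEN_EVENTS), ("altered option ROM", ALTERED_OPTION_ROM),
                         ("secure boot off", SECURE_BOOT_OFF), ("config change", CONFIG_CHANGE)]:
        print(f"{name:20s} -> {check_device(events)}")
```

The config-change scenario is the practical consequence of the "Part of Reference?" column: a drift in PCR1 through PCR6 is visible in the quote and can be logged, but it does not fail attestation because no reference value exists for those PCRs; only PCR0 and PCR7 gate the verdict.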